Does board perception meet reality for cyber security?

During the lockdown due to the coronavirus, I’m struck by how rapidly society and healthcare are adapting to remote working in alignment with the government guidance in the UK. We have seen increasing tolerance towards using internet-facing systems for care of vulnerable patients and temporary relaxation of data protection and cyber security standards for health and social care.

I’ve read the recent Cyber Security Breaches Survey from the DCMS (Department of Culture, Media and Sport) with interest, given that we are likely heading towards a new normal post-COVID-19 as society becomes more used to working outside of defined physical boundaries.

Are we ready for the new normal?

You may think from the responses to this year’s survey that business is ready to adopt new ways of working safely, given that 80% of all organisations surveyed said that cyber security was of importance to their executive board.

However, once you look at the remainder of the responses, there is still a disconnect between what the board thinks it wants and what it actually does.

Are boards managing cyber security?

Only 37% of the organisations have a director on the board with responsibility for cyber security, and only 43% have staff with responsibility for it.

The trend continues when you look at those organisations carrying out risk assessments (37%) or having defined cyber security policies (38%).

Only 25% of organisations cover remote working in their policies, and only 30% raise user awareness of security issues.

It’s obvious that the importance being placed on cyber security at a board level isn’t being translated into integration with existing corporate governance processes. This is important when you look at the recently updated Orange Book, which contains questions to ask to determine the effectiveness of corporate governance.

Are organisations ready for a future of increased remote working?

The bedrock of good governance is understanding the information being processed, and this fares slightly better with 48% of organisations classifying their data. That said, this basic trigger for controls is still immature.

The reality is that the more you move outside the physical working environment, the more reliant you become on the supply chain, on how well you understand the obligations for information management, and on the protective monitoring/incident management of the environments within which your information is processed.

The DCMS study provides some sobering data here too, with only 15% of organisations reviewing their immediate supply chain risks, despite 69% of organisations backing their data up to the Cloud. This figure is even more damning within those organisations that have placed the highest levels of importance on cyber security: only 24% of those organisations have reviewed their immediate supply chain, and 14% have reviewed their risks within the wider supply chain.

Ignorance isn’t bliss

Commentary within the study from respondents makes it clear that a lack of structured questions to ask is a barrier, yet only 1% of organisations check ICO (Information Commissioner’s Office) guidance and 2% of organisations check the NCSC (National Cyber Security Centre) guidance.

If organisations aren’t reviewing the guidance on data protection and cyber security within the UK, then how are they going to ensure that they are meeting their obligations?

It’s hard to build when the foundations are missing

It’s interesting that despite 19% of organisations being aware of the NCSC ten steps to cyber security, only 12% were compliant with all the requirements when asked about them. Fewer organisations are aware of the Cyber Essentials scheme (13% of organisations), which is based on the ten steps guidance, yet 51% of respondents were compliant with the 5 areas of that scheme.

This rise in compliance is interesting, as the 5 areas of the Cyber Essentials scheme link back to the 10 steps to cyber security, yet compliance with the simpler scheme is higher. Is a simpler approach giving organisations (e.g. education, social care, charities) false comfort that they are compliant with the guidance when they aren’t looking at all the detail?

Are you aware of what is happening to your data?

The analysis on protective monitoring and incident management is equally telling, with 38% of organisations monitoring user activity, but only 4% of incidents being detected using monitoring systems. Even when an incident occurs, 33% of organisations do nothing afterwards; 17% of organisations that have had an incident cause an impact still do nothing afterwards.

This inability to know what is happening, and the lack of action afterwards, is at odds with existing requirements within the baseline cyber 10 steps guidance and the ICO GDPR 12 steps guidance.

What can you do about this?

As I’ve already alluded to, the current baselines for cyber security and data protection are not being met in the responses to the recent DCMS study, and this is leading to a wide disconnect between how boards perceive themselves and their actual maturity in terms of the actions they take.

Whilst the current guidance from regulators is being condensed into “as long as you have appropriate security you’re OK in the short term”, the reality is much different, especially if you have an ISO certification to maintain.

I recommend that you look to understand your information, specifically:

  • the location of the data (how do you know where it is being stored, or if it has been deleted?)
  • the format of the information (what is the asset?)
  • the disclosure requirements (can you share it, and what are the requirements?)
  • the retrieval requirements (the retention period and can you access the information throughout that period?)
  • the handling requirements (does it need encryption, where can it be accessed from, what right of audit is there?)

Review how you are doing against the cyber 10 steps and GDPR 12 steps guidance, including an action plan of how to address the gaps.

If you are using Cloud services now, then review how you are using these services.

None of this is insurmountable, but it requires the board to engage with the risk management regime to ensure that they are in control.
